ultraenv 1.0.0

package/bin/ultraenv.mjs

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+import { run } from '../dist/cli/index.js';
+run(process.argv.slice(2)).then(exitCode => process.exit(exitCode));

package/dist/chunk-2USZPWLZ.js

@@ -0,0 +1,288 @@
+import {
+  ENCRYPTED_PREFIX,
+  ENCRYPTION_ALGORITHM
+} from "./chunk-XC65ORJ5.js";
+import {
+  EncryptionError
+} from "./chunk-5G2DU52U.js";
+
+// src/utils/crypto.ts
+import {
+  randomBytes as cryptoRandomBytes,
+  createHash,
+  createHmac,
+  createCipheriv,
+  createDecipheriv,
+  hkdfSync,
+  timingSafeEqual as cryptoTimingSafeEqual
+} from "crypto";
+function deriveKey(masterKey, salt, info, length = 32) {
+  if (length < 1 || length > 255) {
+    throw new RangeError(`deriveKey: length must be between 1 and 255 bytes, got ${length}`);
+  }
+  try {
+    const derived = hkdfSync("sha256", masterKey, salt, Buffer.from(info, "utf-8"), length);
+    return Buffer.from(derived);
+  } catch {
+    return manualHkdf(masterKey, salt, info, length);
+  }
+}
+function manualHkdf(ikm, salt, info, length) {
+  const prk = createHmac("sha256", salt).update(ikm).digest();
+  const infoBuffer = Buffer.from(info, "utf-8");
+  const hashLen = 32;
+  const n = Math.ceil(length / hashLen);
+  if (n > 255) {
+    throw new Error("deriveKey: cannot derive more than 255 * 32 bytes");
+  }
+  const okm = Buffer.alloc(length);
+  let previous = Buffer.alloc(0);
+  for (let i = 1; i <= n; i++) {
+    const hmacData = Buffer.concat([
+      previous,
+      infoBuffer,
+      Buffer.from([i])
+    ]);
+    previous = createHmac("sha256", prk).update(hmacData).digest();
+    const offset = (i - 1) * hashLen;
+    const copyLen = Math.min(hashLen, length - offset);
+    previous.copy(okm, offset, 0, copyLen);
+  }
+  return okm;
+}
+function encrypt(key, plaintext) {
+  if (key.length !== 16 && key.length !== 24 && key.length !== 32) {
+    throw new RangeError(
+      `encrypt: key must be 16, 24, or 32 bytes (AES-128/192/256), got ${key.length}`
+    );
+  }
+  const iv = cryptoRandomBytes(12);
+  const algo = `aes-${key.length * 8}-gcm`;
+  const cipher = createCipheriv(algo, key, iv);
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  return { iv, authTag, ciphertext };
+}
+function decrypt(key, iv, authTag, ciphertext) {
+  if (key.length !== 16 && key.length !== 24 && key.length !== 32) {
+    throw new RangeError(
+      `decrypt: key must be 16, 24, or 32 bytes (AES-128/192/256), got ${key.length}`
+    );
+  }
+  const algo = `aes-${key.length * 8}-gcm`;
+  const decipher = createDecipheriv(algo, key, iv);
+  decipher.setAuthTag(authTag);
+  try {
+    return Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(
+      `Decryption failed: ${message}. This usually means the key is wrong or the ciphertext was tampered with.`
+    );
+  }
+}
+function bufferToBase64(buffer) {
+  return buffer.toString("base64");
+}
+function base64ToBuffer(b64) {
+  return Buffer.from(b64, "base64");
+}
+
+// src/vault/encryption.ts
+var IV_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+function serializeEnvData(data) {
+  const keys = Object.keys(data).sort();
+  const lines = [];
+  for (const key of keys) {
+    const value = data[key];
+    const escapedValue = value.replace(/\n/g, "\\n");
+    lines.push(`${key}=${escapedValue}`);
+  }
+  return lines.join("\n");
+}
+function encryptEnvironment(data, key) {
+  if (key.length !== 32) {
+    throw new EncryptionError(
+      `Invalid key length: expected 32 bytes for AES-256, got ${key.length}`,
+      { hint: "Generate a new key using generateMasterKey() or ensure you are using the correct key file." }
+    );
+  }
+  if (Object.keys(data).length === 0) {
+    throw new EncryptionError(
+      "Cannot encrypt empty environment data",
+      { hint: "Provide at least one environment variable to encrypt." }
+    );
+  }
+  try {
+    const serialized = serializeEnvData(data);
+    const plaintext = Buffer.from(serialized, "utf-8");
+    const result = encrypt(key, plaintext);
+    return {
+      iv: result.iv,
+      authTag: result.authTag,
+      ciphertext: result.ciphertext,
+      algorithm: ENCRYPTION_ALGORITHM
+    };
+  } catch (error) {
+    if (error instanceof EncryptionError) throw error;
+    throw new EncryptionError("Failed to encrypt environment data", {
+      cause: error instanceof Error ? error : void 0
+    });
+  }
+}
+function decryptEnvironment(encrypted, key) {
+  if (key.length !== 32) {
+    throw new EncryptionError(
+      `Invalid key length: expected 32 bytes for AES-256, got ${key.length}`,
+      { hint: "Ensure you are using the correct decryption key for this environment." }
+    );
+  }
+  if (encrypted.algorithm !== ENCRYPTION_ALGORITHM) {
+    throw new EncryptionError(
+      `Unsupported algorithm: "${encrypted.algorithm}". Expected "${ENCRYPTION_ALGORITHM}".`,
+      { hint: "This vault was encrypted with a different algorithm. You may need to migrate the vault." }
+    );
+  }
+  if (encrypted.iv.length !== IV_LENGTH) {
+    throw new EncryptionError(
+      `Invalid IV length: expected ${IV_LENGTH} bytes, got ${encrypted.iv.length}`,
+      { hint: "The encrypted data may be corrupted." }
+    );
+  }
+  if (encrypted.authTag.length !== AUTH_TAG_LENGTH) {
+    throw new EncryptionError(
+      `Invalid auth tag length: expected ${AUTH_TAG_LENGTH} bytes, got ${encrypted.authTag.length}`,
+      { hint: "The encrypted data may be corrupted." }
+    );
+  }
+  try {
+    const plaintext = decrypt(key, encrypted.iv, encrypted.authTag, encrypted.ciphertext);
+    return plaintext.toString("utf-8");
+  } catch (error) {
+    if (error instanceof EncryptionError) throw error;
+    throw new EncryptionError(
+      "Failed to decrypt environment data. The key may be incorrect or the ciphertext was tampered with.",
+      /* v8 ignore start */
+      { cause: error instanceof Error ? error : void 0 }
+      /* v8 ignore stop */
+    );
+  }
+}
+function encryptValue(value, key) {
+  if (key.length !== 32) {
+    throw new EncryptionError(
+      `Invalid key length: expected 32 bytes for AES-256, got ${key.length}`,
+      { hint: "Generate a new key using generateMasterKey()." }
+    );
+  }
+  try {
+    const plaintext = Buffer.from(value, "utf-8");
+    const result = encrypt(key, plaintext);
+    const ivB64 = bufferToBase64(result.iv);
+    const authTagB64 = bufferToBase64(result.authTag);
+    const ciphertextB64 = bufferToBase64(result.ciphertext);
+    return `${ENCRYPTED_PREFIX}${ivB64}:${authTagB64}:${ciphertextB64}`;
+  } catch (error) {
+    if (error instanceof EncryptionError) throw error;
+    throw new EncryptionError("Failed to encrypt value", {
+      cause: error instanceof Error ? error : void 0
+    });
+  }
+}
+function decryptValue(encrypted, key) {
+  if (key.length !== 32) {
+    throw new EncryptionError(
+      `Invalid key length: expected 32 bytes for AES-256, got ${key.length}`,
+      { hint: "Ensure you are using the correct decryption key." }
+    );
+  }
+  if (!encrypted.startsWith(ENCRYPTED_PREFIX)) {
+    throw new EncryptionError(
+      "Invalid encrypted value format: missing required prefix",
+      {
+        hint: `Expected the value to start with "${ENCRYPTED_PREFIX}". This value may not have been encrypted by ultraenv.`
+      }
+    );
+  }
+  const payload = encrypted.slice(ENCRYPTED_PREFIX.length);
+  const parts = payload.split(":");
+  if (parts.length !== 3) {
+    throw new EncryptionError(
+      `Invalid encrypted value format: expected 3 colon-separated components after prefix, got ${parts.length}`,
+      {
+        hint: "The encrypted value should be in the format: encrypted:v1:aes-256-gcm:{iv}:{authTag}:{ciphertext}"
+      }
+    );
+  }
+  const ivB64 = parts[0];
+  const authTagB64 = parts[1];
+  const ciphertextB64 = parts[2];
+  if (ivB64 === void 0 || authTagB64 === void 0 || ciphertextB64 === void 0) {
+    throw new EncryptionError(
+      "Invalid encrypted value: unexpected component structure",
+      { hint: "The encrypted data may be corrupted. Try re-encrypting the value." }
+    );
+  }
+  if (ivB64.length === 0 || authTagB64.length === 0 || ciphertextB64.length === 0) {
+    throw new EncryptionError(
+      "Invalid encrypted value: one or more base64 components are empty",
+      { hint: "The encrypted data may be corrupted. Try re-encrypting the value." }
+    );
+  }
+  try {
+    const iv = base64ToBuffer(ivB64);
+    const authTag = base64ToBuffer(authTagB64);
+    const ciphertext = base64ToBuffer(ciphertextB64);
+    if (iv.length !== IV_LENGTH) {
+      throw new EncryptionError(
+        `Invalid IV length: expected ${IV_LENGTH} bytes, got ${iv.length}`,
+        { hint: "The encrypted data may be corrupted or was produced by a different version of ultraenv." }
+      );
+    }
+    if (authTag.length !== AUTH_TAG_LENGTH) {
+      throw new EncryptionError(
+        `Invalid auth tag length: expected ${AUTH_TAG_LENGTH} bytes, got ${authTag.length}`,
+        { hint: "The encrypted data may be corrupted." }
+      );
+    }
+    const plaintext = decrypt(key, iv, authTag, ciphertext);
+    return plaintext.toString("utf-8");
+  } catch (error) {
+    if (error instanceof EncryptionError) throw error;
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes("Invalid") || message.includes("base64")) {
+      throw new EncryptionError(
+        "Invalid base64 encoding in encrypted value",
+        { hint: "The encrypted data may be corrupted. Ensure the value was not modified." }
+      );
+    }
+    throw new EncryptionError(
+      "Failed to decrypt value. The key may be incorrect or the ciphertext was tampered with.",
+      /* v8 ignore start */
+      { cause: error instanceof Error ? error : void 0 }
+      /* v8 ignore stop */
+    );
+  }
+}
+function isEncryptedValue(value) {
+  if (value.length < ENCRYPTED_PREFIX.length) return false;
+  return value.startsWith(ENCRYPTED_PREFIX);
+}
+
+export {
+  deriveKey,
+  bufferToBase64,
+  base64ToBuffer,
+  encryptEnvironment,
+  decryptEnvironment,
+  encryptValue,
+  decryptValue,
+  isEncryptedValue
+};

package/dist/chunk-3UV2QNJL.js

@@ -0,0 +1,270 @@
+import {
+  isSecretKey,
+  isSecretLike,
+  maskValue
+} from "./chunk-TE7HPLA6.js";
+import {
+  parseEnvFile
+} from "./chunk-HFXQGJY3.js";
+import {
+  exists,
+  readFile
+} from "./chunk-3VYXPTYV.js";
+import {
+  FileSystemError
+} from "./chunk-5G2DU52U.js";
+
+// src/environments/comparator.ts
+import { resolve, join } from "path";
+function parseEnvironment(content) {
+  const parsed = parseEnvFile(content);
+  const vars = {};
+  const keys = [];
+  for (const envVar of parsed.vars) {
+    if (!(envVar.key in vars)) {
+      vars[envVar.key] = envVar.value;
+      keys.push(envVar.key);
+    }
+  }
+  return { vars, keys };
+}
+function isSecretVar(key, value) {
+  if (isSecretKey(key)) return true;
+  if (value.length > 0 && isSecretLike(value)) return true;
+  return false;
+}
+var DANGER_PATTERNS = [
+  {
+    pattern: /^(SECURITY|CSRF|CORS|AUTH|SESSION|COOKIE)/i,
+    message: "Security configuration differs between environments",
+    severity: "critical"
+  },
+  {
+    pattern: /^(DEBUG|LOG_LEVEL|VERBOSE|TRACE)/i,
+    message: "Debug/logging settings differ \u2014 debug mode may be enabled in production",
+    severity: "high"
+  },
+  {
+    pattern: /^(ALLOWED_ORIGINS|CORS_ORIGIN)/i,
+    message: "CORS origin configuration differs \u2014 may expose to unintended origins",
+    severity: "high"
+  },
+  {
+    pattern: /^(DATABASE_URL|MONGO_URL|REDIS_URL)/i,
+    message: "Database connection differs \u2014 pointing to different databases",
+    severity: "medium"
+  },
+  {
+    pattern: /^(API_URL|BASE_URL|BACKEND_URL)/i,
+    message: "API endpoint differs \u2014 may point to wrong server",
+    severity: "medium"
+  },
+  {
+    pattern: /^(SSL|TLS|HTTPS|CERT|KEY|ENCRYPTION)/i,
+    message: "SSL/TLS configuration differs \u2014 security may be weakened",
+    severity: "critical"
+  },
+  {
+    pattern: /^(RATE_LIMIT|THROTTLE|MAX_REQUESTS)/i,
+    message: "Rate limiting differs \u2014 may be too permissive",
+    severity: "low"
+  },
+  {
+    pattern: /^(NODE_ENV|APP_ENV|ENVIRONMENT)/i,
+    message: "Environment mode differs",
+    severity: "high"
+  },
+  {
+    // Detect when a security feature is disabled in one env but enabled in another
+    pattern: /^(.*_ENABLED|.*_DISABLED|.*_ACTIVE|.*_PROTECTED)/i,
+    message: "Feature flag/security toggle differs between environments",
+    severity: "medium"
+  }
+];
+function detectDanger(key, value1, value2) {
+  for (const danger of DANGER_PATTERNS) {
+    if (danger.pattern.test(key)) {
+      return {
+        key,
+        message: danger.message,
+        severity: danger.severity,
+        value1: isSecretVar(key, value1) ? maskValue(value1) : value1,
+        value2: isSecretVar(key, value2) ? maskValue(value2) : value2
+      };
+    }
+  }
+  const urlPattern = /^https?:\/\//i;
+  if (urlPattern.test(value1) && urlPattern.test(value2)) {
+    try {
+      const url1 = new URL(value1);
+      const url2 = new URL(value2);
+      if (url1.hostname !== url2.hostname) {
+        return {
+          key,
+          message: `URL host differs: "${url1.hostname}" vs "${url2.hostname}"`,
+          severity: "medium",
+          value1: isSecretVar(key, value1) ? maskValue(value1) : value1,
+          value2: isSecretVar(key, value2) ? maskValue(value2) : value2
+        };
+      }
+    } catch {
+    }
+  }
+  if ((value1.toLowerCase() === "true" || value1 === "1") && (value2.toLowerCase() === "false" || value2 === "0")) {
+    return {
+      key,
+      message: `Feature toggled off: "${key}" changed from enabled to disabled`,
+      severity: "medium",
+      value1,
+      value2
+    };
+  }
+  return null;
+}
+async function compareEnvironments(env1, env2, cwd, _schema) {
+  const baseDir = resolve(cwd ?? process.cwd());
+  const env1Path = join(baseDir, `.env.${env1}`);
+  const env2Path = join(baseDir, `.env.${env2}`);
+  const resolvedEnv1Path = env1.includes("/") || env1.includes("\\") ? resolve(env1) : env1Path;
+  const resolvedEnv2Path = env2.includes("/") || env2.includes("\\") ? resolve(env2) : env2Path;
+  if (!await exists(resolvedEnv1Path)) {
+    throw new FileSystemError(
+      `Environment file not found: "${resolvedEnv1Path}"`,
+      {
+        path: resolvedEnv1Path,
+        operation: "read",
+        hint: `Ensure ".env.${env1}" exists in the project directory.`
+      }
+    );
+  }
+  if (!await exists(resolvedEnv2Path)) {
+    throw new FileSystemError(
+      `Environment file not found: "${resolvedEnv2Path}"`,
+      {
+        path: resolvedEnv2Path,
+        operation: "read",
+        hint: `Ensure ".env.${env2}" exists in the project directory.`
+      }
+    );
+  }
+  const env1Content = await readFile(resolvedEnv1Path);
+  const env2Content = await readFile(resolvedEnv2Path);
+  const env1Parsed = parseEnvironment(env1Content);
+  const env2Parsed = parseEnvironment(env2Content);
+  return compareEnvironmentVars(env1, env2, env1Parsed, env2Parsed);
+}
+function compareEnvironmentVars(env1Name, env2Name, env1Parsed, env2Parsed) {
+  const env1Keys = new Set(env1Parsed.keys);
+  const env2Keys = new Set(env2Parsed.keys);
+  const onlyInEnv1 = [];
+  const onlyInEnv2 = [];
+  const different = [];
+  const same = [];
+  const warnings = [];
+  for (const key of env1Keys) {
+    if (!env2Keys.has(key)) {
+      const value = env1Parsed.vars[key] ?? "";
+      onlyInEnv1.push({
+        key,
+        value1: isSecretVar(key, value) ? maskValue(value) : value,
+        value2: "",
+        isSecret: isSecretVar(key, value)
+      });
+    }
+  }
+  for (const key of env2Keys) {
+    if (!env1Keys.has(key)) {
+      const value = env2Parsed.vars[key] ?? "";
+      onlyInEnv2.push({
+        key,
+        value1: "",
+        value2: isSecretVar(key, value) ? maskValue(value) : value,
+        isSecret: isSecretVar(key, value)
+      });
+    }
+  }
+  for (const key of env1Keys) {
+    if (!env2Keys.has(key)) continue;
+    const value1 = env1Parsed.vars[key] ?? "";
+    const value2 = env2Parsed.vars[key] ?? "";
+    if (value1 === value2) {
+      same.push(key);
+    } else {
+      const isSecret = isSecretVar(key, value1) || isSecretVar(key, value2);
+      different.push({
+        key,
+        value1: isSecret ? maskValue(value1) : value1,
+        value2: isSecret ? maskValue(value2) : value2,
+        isSecret
+      });
+      const danger = detectDanger(key, value1, value2);
+      if (danger !== null) {
+        warnings.push(danger);
+      }
+    }
+  }
+  onlyInEnv1.sort((a, b) => a.key.localeCompare(b.key));
+  onlyInEnv2.sort((a, b) => a.key.localeCompare(b.key));
+  different.sort((a, b) => a.key.localeCompare(b.key));
+  same.sort();
+  warnings.sort((a, b) => {
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    const diff = severityOrder[a.severity] - severityOrder[b.severity];
+    return diff !== 0 ? diff : a.key.localeCompare(b.key);
+  });
+  return {
+    env1Name,
+    env2Name,
+    onlyInEnv1,
+    onlyInEnv2,
+    different,
+    same,
+    warnings
+  };
+}
+function formatComparison(comparison) {
+  const lines = [];
+  lines.push(`Comparing: ${comparison.env1Name} vs ${comparison.env2Name}`);
+  lines.push("\u2500".repeat(50));
+  if (comparison.warnings.length > 0) {
+    lines.push("");
+    lines.push(`\u26A0 ${comparison.warnings.length} warning(s):`);
+    for (const warning of comparison.warnings) {
+      const icon = warning.severity === "critical" ? "\u{1F534}" : warning.severity === "high" ? "\u{1F7E0}" : warning.severity === "medium" ? "\u{1F7E1}" : "\u{1F535}";
+      lines.push(`  ${icon} ${warning.key}: ${warning.message}`);
+    }
+  }
+  if (comparison.onlyInEnv1.length > 0) {
+    lines.push("");
+    lines.push(`Only in ${comparison.env1Name} (${comparison.onlyInEnv1.length}):`);
+    for (const diff of comparison.onlyInEnv1) {
+      lines.push(`  - ${diff.key}${diff.isSecret ? " [SECRET]" : ""} = ${diff.value1 || "(empty)"}`);
+    }
+  }
+  if (comparison.onlyInEnv2.length > 0) {
+    lines.push("");
+    lines.push(`Only in ${comparison.env2Name} (${comparison.onlyInEnv2.length}):`);
+    for (const diff of comparison.onlyInEnv2) {
+      lines.push(`  + ${diff.key}${diff.isSecret ? " [SECRET]" : ""} = ${diff.value2 || "(empty)"}`);
+    }
+  }
+  if (comparison.different.length > 0) {
+    lines.push("");
+    lines.push(`Different (${comparison.different.length}):`);
+    for (const diff of comparison.different) {
+      lines.push(`  ~ ${diff.key}${diff.isSecret ? " [SECRET]" : ""}`);
+      lines.push(`    ${comparison.env1Name}: ${diff.value1 || "(empty)"}`);
+      lines.push(`    ${comparison.env2Name}: ${diff.value2 || "(empty)"}`);
+    }
+  }
+  if (comparison.same.length > 0) {
+    lines.push("");
+    lines.push(`Same (${comparison.same.length}): ${comparison.same.join(", ")}`);
+  }
+  return lines.join("\n");
+}
+
+export {
+  compareEnvironments,
+  formatComparison
+};